L2Mfix 1.02
Running From:
C:\Documents and Settings\David Steckler\Desktop\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
Denying C access for really "Everyone"
- adding new ACCESS DENY entry
Registry Permissions set too:
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\David Steckler\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\David Steckler\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]
Killing PID 2000 'explorer.exe'
Killing PID 2000 'explorer.exe'
Killing PID 1188 'rundll32.exe'
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINDOWS\system32\CNIntRes.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cpypt32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cxpaig32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dhgest.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dxser.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\e802lido180c.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\EgnClass.Dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fppu0379e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hr2405fqe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\idetcplc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iisetup.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\inrnonce.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iqrnonce.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irr0l59m1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j02q0af5ed2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j4n20e5oeh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jxproxy.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k080lalm1dqa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k208lcdu1f08.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\krdbe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l8j8li1u18.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv8u09l9e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m682lglo16qc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mbtext40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\miports.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv8ml9l11.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvltus40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nhwmsdrm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p6p60g7se6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\q468leju1ho8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rchx32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rDssapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rkmotepg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rwhx32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\s4pu0e79eh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\SF2stat.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tbbgpp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uoeg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\utrrtosa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\VGAME.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wnwfaxui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wobvw.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\CNIntRes.dll
Successfully Deleted: C:\WINDOWS\system32\CNIntRes.dll
deleting: C:\WINDOWS\system32\cpypt32.dll
Successfully Deleted: C:\WINDOWS\system32\cpypt32.dll
deleting: C:\WINDOWS\system32\cxpaig32.dll
Successfully Deleted: C:\WINDOWS\system32\cxpaig32.dll
deleting: C:\WINDOWS\system32\dhgest.dll
Successfully Deleted: C:\WINDOWS\system32\dhgest.dll
deleting: C:\WINDOWS\system32\dxser.dll
Successfully Deleted: C:\WINDOWS\system32\dxser.dll
deleting: C:\WINDOWS\system32\e802lido180c.dll
Successfully Deleted: C:\WINDOWS\system32\e802lido180c.dll
deleting: C:\WINDOWS\system32\EgnClass.Dll
Successfully Deleted: C:\WINDOWS\system32\EgnClass.Dll
deleting: C:\WINDOWS\system32\fppu0379e.dll
Successfully Deleted: C:\WINDOWS\system32\fppu0379e.dll
deleting: C:\WINDOWS\system32\hr2405fqe.dll
Successfully Deleted: C:\WINDOWS\system32\hr2405fqe.dll
deleting: C:\WINDOWS\system32\idetcplc.dll
Successfully Deleted: C:\WINDOWS\system32\idetcplc.dll
deleting: C:\WINDOWS\system32\iisetup.dll
Successfully Deleted: C:\WINDOWS\system32\iisetup.dll
deleting: C:\WINDOWS\system32\inrnonce.dll
Successfully Deleted: C:\WINDOWS\system32\inrnonce.dll
deleting: C:\WINDOWS\system32\iqrnonce.dll
Successfully Deleted: C:\WINDOWS\system32\iqrnonce.dll
deleting: C:\WINDOWS\system32\irr0l59m1.dll
Successfully Deleted: C:\WINDOWS\system32\irr0l59m1.dll
deleting: C:\WINDOWS\system32\j02q0af5ed2.dll
Successfully Deleted: C:\WINDOWS\system32\j02q0af5ed2.dll
deleting: C:\WINDOWS\system32\j4n20e5oeh.dll
Successfully Deleted: C:\WINDOWS\system32\j4n20e5oeh.dll
deleting: C:\WINDOWS\system32\jxproxy.dll
Successfully Deleted: C:\WINDOWS\system32\jxproxy.dll
deleting: C:\WINDOWS\system32\k080lalm1dqa.dll
Successfully Deleted: C:\WINDOWS\system32\k080lalm1dqa.dll
deleting: C:\WINDOWS\system32\k208lcdu1f08.dll
Successfully Deleted: C:\WINDOWS\system32\k208lcdu1f08.dll
deleting: C:\WINDOWS\system32\krdbe.dll
Successfully Deleted: C:\WINDOWS\system32\krdbe.dll
deleting: C:\WINDOWS\system32\l8j8li1u18.dll
Successfully Deleted: C:\WINDOWS\system32\l8j8li1u18.dll
deleting: C:\WINDOWS\system32\lv8u09l9e.dll
Successfully Deleted: C:\WINDOWS\system32\lv8u09l9e.dll
deleting: C:\WINDOWS\system32\m682lglo16qc.dll
Successfully Deleted: C:\WINDOWS\system32\m682lglo16qc.dll
deleting: C:\WINDOWS\system32\mbtext40.dll
Successfully Deleted: C:\WINDOWS\system32\mbtext40.dll
deleting: C:\WINDOWS\system32\miports.dll
Successfully Deleted: C:\WINDOWS\system32\miports.dll
deleting: C:\WINDOWS\system32\mv8ml9l11.dll
Successfully Deleted: C:\WINDOWS\system32\mv8ml9l11.dll
deleting: C:\WINDOWS\system32\mvltus40.dll
Successfully Deleted: C:\WINDOWS\system32\mvltus40.dll
deleting: C:\WINDOWS\system32\nhwmsdrm.dll
Successfully Deleted: C:\WINDOWS\system32\nhwmsdrm.dll
deleting: C:\WINDOWS\system32\p6p60g7se6.dll
Successfully Deleted: C:\WINDOWS\system32\p6p60g7se6.dll
deleting: C:\WINDOWS\system32\q468leju1ho8.dll
Successfully Deleted: C:\WINDOWS\system32\q468leju1ho8.dll
deleting: C:\WINDOWS\system32\rchx32.dll
Successfully Deleted: C:\WINDOWS\system32\rchx32.dll
deleting: C:\WINDOWS\system32\rDssapi.dll
Successfully Deleted: C:\WINDOWS\system32\rDssapi.dll
deleting: C:\WINDOWS\system32\rkmotepg.dll
Successfully Deleted: C:\WINDOWS\system32\rkmotepg.dll
deleting: C:\WINDOWS\system32\rwhx32.dll
Successfully Deleted: C:\WINDOWS\system32\rwhx32.dll
deleting: C:\WINDOWS\system32\s4pu0e79eh.dll
Successfully Deleted: C:\WINDOWS\system32\s4pu0e79eh.dll
deleting: C:\WINDOWS\system32\SF2stat.DLL
Successfully Deleted: C:\WINDOWS\system32\SF2stat.DLL
deleting: C:\WINDOWS\system32\tbbgpp.dll
Successfully Deleted: C:\WINDOWS\system32\tbbgpp.dll
deleting: C:\WINDOWS\system32\uoeg.dll
Successfully Deleted: C:\WINDOWS\system32\uoeg.dll
deleting: C:\WINDOWS\system32\utrrtosa.dll
Successfully Deleted: C:\WINDOWS\system32\utrrtosa.dll
deleting: C:\WINDOWS\system32\VGAME.DLL
Successfully Deleted: C:\WINDOWS\system32\VGAME.DLL
deleting: C:\WINDOWS\system32\wnwfaxui.dll
Successfully Deleted: C:\WINDOWS\system32\wnwfaxui.dll
deleting: C:\WINDOWS\system32\wobvw.dll
Successfully Deleted: C:\WINDOWS\system32\wobvw.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
Desktop.ini sucessfully removed
Zipping up files for submission:
adding: CNIntRes.dll (164 bytes security) (deflated 4%)
adding: cpypt32.dll (164 bytes security) (deflated 4%)
adding: cxpaig32.dll (164 bytes security) (deflated 4%)
adding: dhgest.dll (164 bytes security) (deflated 3%)
adding: dxser.dll (164 bytes security) (deflated 5%)
adding: e802lido180c.dll (164 bytes security) (deflated 5%)
adding: EgnClass.Dll (164 bytes security) (deflated 4%)
adding: fppu0379e.dll (164 bytes security) (deflated 4%)
adding: hr2405fqe.dll (164 bytes security) (deflated 4%)
adding: idetcplc.dll (164 bytes security) (deflated 4%)
adding: iisetup.dll (164 bytes security) (deflated 3%)
adding: inrnonce.dll (164 bytes security) (deflated 5%)
adding: iqrnonce.dll (164 bytes security) (deflated 4%)
adding: irr0l59m1.dll (164 bytes security) (deflated 4%)
adding: j02q0af5ed2.dll (164 bytes security) (deflated 4%)
adding: j4n20e5oeh.dll (164 bytes security) (deflated 4%)
adding: jxproxy.dll (164 bytes security) (deflated 4%)
adding: k080lalm1dqa.dll (164 bytes security) (deflated 4%)
adding: k208lcdu1f08.dll (164 bytes security) (deflated 3%)
adding: krdbe.dll (164 bytes security) (deflated 4%)
adding: l8j8li1u18.dll (164 bytes security) (deflated 5%)
adding: lv8u09l9e.dll (164 bytes security) (deflated 5%)
adding: m682lglo16qc.dll (164 bytes security) (deflated 4%)
adding: mbtext40.dll (164 bytes security) (deflated 4%)
adding: miports.dll (164 bytes security) (deflated 5%)
adding: mv8ml9l11.dll (164 bytes security) (deflated 4%)
adding: mvltus40.dll (164 bytes security) (deflated 4%)
adding: nhwmsdrm.dll (164 bytes security) (deflated 3%)
adding: p6p60g7se6.dll (164 bytes security) (deflated 4%)
adding: q468leju1ho8.dll (164 bytes security) (deflated 4%)
adding: rchx32.dll (164 bytes security) (deflated 4%)
adding: rDssapi.dll (164 bytes security) (deflated 5%)
adding: rkmotepg.dll (164 bytes security) (deflated 4%)
adding: rwhx32.dll (164 bytes security) (deflated 5%)
adding: s4pu0e79eh.dll (164 bytes security) (deflated 3%)
adding: SF2stat.DLL (164 bytes security) (deflated 4%)
adding: tbbgpp.dll (164 bytes security) (deflated 4%)
adding: uoeg.dll (164 bytes security) (deflated 4%)
adding: utrrtosa.dll (164 bytes security) (deflated 4%)
adding: VGAME.DLL (164 bytes security) (deflated 4%)
adding: wnwfaxui.dll (164 bytes security) (deflated 4%)
adding: wobvw.dll (164 bytes security) (deflated 4%)
adding: guard.tmp (164 bytes security) (deflated 4%)
adding: cecho.reg (164 bytes security) (deflated 2%)
adding: clear.reg (164 bytes security) (deflated 63%)
adding: echo.reg (164 bytes security) (deflated 11%)
adding: desktop.ini (164 bytes security) (deflated 14%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 86%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 67%)
adding: test.txt (164 bytes security) (deflated 81%)
adding: test2.txt (164 bytes security) (deflated 44%)
adding: xfind.txt (164 bytes security) (deflated 76%)
adding: backregs/33B3B32A-523B-44A8-9781-57E026C29B34.reg (164 bytes security) (deflated 70%)
adding: backregs/68784867-E4C9-441F-A930-A45BD5806003.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)
Restoring Registry Permissions:
Revoking access for really "Everyone"
Registry permissions set too:
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: CNIntRes.dll
deleting local copy: cpypt32.dll
deleting local copy: cxpaig32.dll
deleting local copy: dhgest.dll
deleting local copy: dxser.dll
deleting local copy: e802lido180c.dll
deleting local copy: EgnClass.Dll
deleting local copy: fppu0379e.dll
deleting local copy: hr2405fqe.dll
deleting local copy: idetcplc.dll
deleting local copy: iisetup.dll
deleting local copy: inrnonce.dll
deleting local copy: iqrnonce.dll
deleting local copy: irr0l59m1.dll
deleting local copy: j02q0af5ed2.dll
deleting local copy: j4n20e5oeh.dll
deleting local copy: jxproxy.dll
deleting local copy: k080lalm1dqa.dll
deleting local copy: k208lcdu1f08.dll
deleting local copy: krdbe.dll
deleting local copy: l8j8li1u18.dll
deleting local copy: lv8u09l9e.dll
deleting local copy: m682lglo16qc.dll
deleting local copy: mbtext40.dll
deleting local copy: miports.dll
deleting local copy: mv8ml9l11.dll
deleting local copy: mvltus40.dll
deleting local copy: nhwmsdrm.dll
deleting local copy: p6p60g7se6.dll
deleting local copy: q468leju1ho8.dll
deleting local copy: rchx32.dll
deleting local copy: rDssapi.dll
deleting local copy: rkmotepg.dll
deleting local copy: rwhx32.dll
deleting local copy: s4pu0e79eh.dll
deleting local copy: SF2stat.DLL
deleting local copy: tbbgpp.dll
deleting local copy: uoeg.dll
deleting local copy: utrrtosa.dll
deleting local copy: VGAME.DLL
deleting local copy: wnwfaxui.dll
deleting local copy: wobvw.dll
deleting local copy: guard.tmp
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{8538A21A-8676-48B6-95E1-4125FE1922BB}"=-
"{0C5AF359-84D9-47AE-969D-3B4BE15E02C9}"=-
"{33B3B32A-523B-44A8-9781-57E026C29B34}"=-
"{37959F36-A6C4-4BF6-A867-5D1A2B257A53}"=-
"{8D294AE6-0E74-4117-8877-38EF4D182D92}"=-
"{E0D8AE66-4F22-4B17-A1F9-AA87F2ECAAB9}"=-
"{027A9A25-DBEA-499B-87F6-5775033027CA}"=-
"{DAFB59C9-0D3F-4FF2-A109-62DF1BD278CF}"=-
"{68784867-E4C9-441F-A930-A45BD5806003}"=-
[-HKEY_CLASSES_ROOT\CLSID\{8538A21A-8676-48B6-95E1-4125FE1922BB}]
[-HKEY_CLASSES_ROOT\CLSID\{0C5AF359-84D9-47AE-969D-3B4BE15E02C9}]
[-HKEY_CLASSES_ROOT\CLSID\{33B3B32A-523B-44A8-9781-57E026C29B34}]
[-HKEY_CLASSES_ROOT\CLSID\{37959F36-A6C4-4BF6-A867-5D1A2B257A53}]
[-HKEY_CLASSES_ROOT\CLSID\{8D294AE6-0E74-4117-8877-38EF4D182D92}]
[-HKEY_CLASSES_ROOT\CLSID\{E0D8AE66-4F22-4B17-A1F9-AA87F2ECAAB9}]
[-HKEY_CLASSES_ROOT\CLSID\{027A9A25-DBEA-499B-87F6-5775033027CA}]
[-HKEY_CLASSES_ROOT\CLSID\{DAFB59C9-0D3F-4FF2-A109-62DF1BD278CF}]
[-HKEY_CLASSES_ROOT\CLSID\{68784867-E4C9-441F-A930-A45BD5806003}]
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6E7A9FCC-2EED-4124-8A17-4436C34ACA7B}"=-
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{6E7A9FCC-2EED-4124-8A17-4436C34ACA7B}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
Classid's found from regsearch:
****************************************************************************